I create a root certificate like this:
public static Org.BouncyCastle.X509.X509Certificate GenerateRootCert(AsymmetricCipherKeyPair pair, System.Security.Cryptography.AsymmetricAlgorithm caKeyy)
{
Org.BouncyCastle.X509.X509V3CertificateGenerator certGen = new Org.BouncyCastle.X509.X509V3CertificateGenerator();
certGen.SetSerialNumber(BigInteger.One);
certGen.SetIssuerDN(new X509Name("cn=Autorite1,ou=DC,o=A1"));
certGen.SetNotBefore(DateTime.Today.Subtract(new TimeSpan(1, 0, 0, 0)));
certGen.SetNotAfter(DateTime.Today.Add(new TimeSpan(10, 0, 0, 0)));
certGen.SetSubjectDN(new X509Name("cn=Autorite1,ou=DC,o=A1"));
certGen.SetPublicKey(pair.Public);
certGen.SetSignatureAlgorithm("SHA1withRSA");
certGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(pair.Public));
certGen.AddExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(true));
Org.BouncyCastle.X509.X509Certificate x509 = certGen.Generate(pair.Private);
return x509;
}
I create the end-entity certificate like this:
public static void generateEndEntityCert(
AsymmetricKeyParameter entityKey,
AsymmetricKeyParameter caKey, System.Security.Cryptography.AsymmetricAlgorithm caKeyy,
X509Certificate caCert)
{
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.SetSerialNumber(BigInteger.Two);
certGen.SetIssuerDN(new X509Name("cn=Autorite1,ou=DC,o=A1"));
certGen.SetNotBefore(DateTime.Today.Subtract(new TimeSpan(1, 0, 0, 0)));
certGen.SetNotAfter(DateTime.Today.Add(new TimeSpan(7, 0, 0, 0)));
certGen.SetSubjectDN(new X509Name("cn=test,E=test@test.com"));
certGen.SetPublicKey(entityKey);
certGen.SetSignatureAlgorithm("SHA256WithRSAEncryption");
GeneralNames subjectAltName = new GeneralNames(new GeneralName(GeneralName.Rfc822Name, "example@example.org"));
Org.BouncyCastle.X509.X509Certificate cer = new Org.BouncyCastle.X509.X509Certificate(caCert.CertificateStructure);
certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(cer));
certGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(entityKey));
certGen.AddExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(true));
certGen.AddExtension(X509Extensions.KeyUsage, false, new KeyUsage(KeyUsage.NonRepudiation));
Org.BouncyCastle.X509.X509Certificate x509 = certGen.Generate(caKey);
}
I use the two certificates (root and end-entity) to build a certificate path, like this:
public static IEnumerable<X509Certificate> BuildCertificateChainBC(byte[] primary, IEnumerable<byte[]> additional)
{
X509CertificateParser parser = new X509CertificateParser();
PkixCertPathBuilder builder = new PkixCertPathBuilder();
// Separate root from intermediate
List<X509Certificate> intermediateCerts = new List<X509Certificate>();
HashSet rootCerts = new HashSet();
foreach (byte[] cert in additional)
{
Org.BouncyCastle.X509.X509Certificate x509Cert = parser.ReadCertificate(cert);
// Separate root and subordinate certificates
if (x509Cert.IssuerDN.Equivalent(x509Cert.SubjectDN))
rootCerts.Add(new TrustAnchor(x509Cert, null));
else
intermediateCerts.Add(x509Cert);
}
// Create chain for this certificate
X509CertStoreSelector holder = new X509CertStoreSelector();
holder.Certificate = parser.ReadCertificate(primary);
// WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN
intermediateCerts.Add(holder.Certificate);
PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder);
builderParams.IsRevocationEnabled = false;
X509CollectionStoreParameters intermediateStoreParameters =
new X509CollectionStoreParameters(intermediateCerts);
builderParams.AddStore(X509StoreFactory.Create("Certificate/Collection", intermediateStoreParameters));
PkixCertPathBuilderResult result = builder.Build(builderParams); //<-- the exception here
return result.CertPath.Certificates.Cast<Org.BouncyCastle.X509.X509Certificate>();
}
Did I generate the certificates incorrectly? Because I get this exception: TrustAnchor found but certificate validation failed.
Value of the inner exception: Public key presented not for certificate signature
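For comparison, here is an added, self-contained example (not the asker's code, and not BouncyCastle's own sample) of the same two-certificate setup built the way RFC 5280 expects a CA and a leaf to look: the self-signed CA carries a critical BasicConstraints cA=TRUE plus a critical KeyUsage with keyCertSign, while the end-entity certificate carries BasicConstraints cA=FALSE and a KeyUsage without keyCertSign. It also includes a small pre-flight check (`WhyNotCa`, a hypothetical helper) that reports which of those CA properties a certificate lacks before the PKIX builder is even invoked, and then runs the same PkixCertPathBuilder flow as the question. It assumes the same BouncyCastle 1.8-era C# API the posted code uses (`Generate(AsymmetricKeyParameter)`, the non-generic `Org.BouncyCastle.Utilities.Collections.HashSet`); all names, DNs and the e-mail address are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Pkix;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities.Collections;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.X509.Store;

// Added example (not the asker's code): CA and leaf with RFC 5280-style extensions,
// a pre-flight CA check, and a PKIX path build against the CA as trust anchor.
public static class ChainDemo
{
    static readonly SecureRandom Rng = new SecureRandom();

    static AsymmetricCipherKeyPair NewRsaKey()
    {
        var gen = new RsaKeyPairGenerator();
        gen.Init(new KeyGenerationParameters(Rng, 2048));
        return gen.GenerateKeyPair();
    }

    // Self-signed CA: cA=TRUE and keyCertSign, both marked critical.
    public static X509Certificate MakeRootCa(AsymmetricCipherKeyPair caKey, X509Name dn)
    {
        var g = new X509V3CertificateGenerator();
        g.SetSerialNumber(BigInteger.One);
        g.SetIssuerDN(dn);
        g.SetSubjectDN(dn);
        g.SetNotBefore(DateTime.UtcNow.AddDays(-1));
        g.SetNotAfter(DateTime.UtcNow.AddYears(10));
        g.SetPublicKey(caKey.Public);
        g.SetSignatureAlgorithm("SHA256WithRSA");
        var spki = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(caKey.Public);
        g.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(spki));
        g.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
        g.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.KeyCertSign | KeyUsage.CrlSign));
        return g.Generate(caKey.Private);
    }

    // Leaf: cA=FALSE, no keyCertSign, AKI pointing at the CA key, e-mail SAN actually added.
    public static X509Certificate MakeLeaf(AsymmetricCipherKeyPair caKey, X509Certificate ca,
                                           AsymmetricKeyParameter leafPublic, string email)
    {
        var g = new X509V3CertificateGenerator();
        g.SetSerialNumber(BigInteger.Two);
        g.SetIssuerDN(ca.SubjectDN);                   // issuer must equal the CA's subject
        g.SetSubjectDN(new X509Name("CN=test,E=" + email));
        g.SetNotBefore(DateTime.UtcNow.AddDays(-1));
        g.SetNotAfter(DateTime.UtcNow.AddDays(7));
        g.SetPublicKey(leafPublic);
        g.SetSignatureAlgorithm("SHA256WithRSA");
        var caSpki = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(caKey.Public);
        var leafSpki = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(leafPublic);
        g.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(caSpki));
        g.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(leafSpki));
        g.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
        g.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.NonRepudiation));
        g.AddExtension(X509Extensions.SubjectAlternativeName, false,
            new GeneralNames(new GeneralName(GeneralName.Rfc822Name, email)));
        return g.Generate(caKey.Private);               // signed with the CA key, not the leaf key
    }

    // Hypothetical pre-flight check: null means the cert looks usable as an issuer,
    // otherwise the first CA property it is missing.
    public static string WhyNotCa(X509Certificate cert)
    {
        if (cert.GetBasicConstraints() < 0) return "BasicConstraints cA is not TRUE";
        bool[] ku = cert.GetKeyUsage();                // null when the extension is absent
        if (ku != null && !ku[5]) return "KeyUsage present but keyCertSign (bit 5) is clear";
        return null;
    }

    public static IList<X509Certificate> BuildPath(X509Certificate leaf, X509Certificate root)
    {
        var anchors = new HashSet();                    // Org.BouncyCastle.Utilities.Collections
        anchors.Add(new TrustAnchor(root, null));
        var selector = new X509CertStoreSelector { Certificate = leaf };
        var p = new PkixBuilderParameters(anchors, selector) { IsRevocationEnabled = false };
        // The builder locates the target through the selector in the registered stores,
        // so the leaf must be in a store; intermediates would go into the same list.
        p.AddStore(X509StoreFactory.Create("Certificate/Collection",
            new X509CollectionStoreParameters(new List<X509Certificate> { leaf })));
        var result = new PkixCertPathBuilder().Build(p);
        var chain = new List<X509Certificate>();
        foreach (X509Certificate c in result.CertPath.Certificates) chain.Add(c);
        return chain;                                   // [leaf]; the anchor is not part of the path
    }

    public static void Main()
    {
        var caKey = NewRsaKey();
        var leafKey = NewRsaKey();
        var root = MakeRootCa(caKey, new X509Name("CN=Autorite1,OU=DC,O=A1"));
        var leaf = MakeLeaf(caKey, root, leafKey.Public, "example@example.org");
        Console.WriteLine(WhyNotCa(root) ?? "root: CA checks pass");
        Console.WriteLine(WhyNotCa(leaf) ?? "leaf: unexpectedly looks like a CA");
        leaf.Verify(caKey.Public);                      // throws if the leaf was not signed by the CA key
        foreach (var c in BuildPath(leaf, root))
            Console.WriteLine("path: " + c.SubjectDN);
    }
}
```

Running `WhyNotCa` against each certificate before calling `Build` separates "this certificate is not shaped like an issuer" from "the builder could not find a path", which is the distinction the nested exception in the question obscures. Note also the two differences from the posted code: the leaf here is cA=FALSE rather than cA=TRUE, and the CA key usage explicitly includes keyCertSign.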